The present invention relates to communication networks, and, more particularly, to processing traffic anomalies in communication networks.
Communication networks are susceptible to malicious attacks designed to degrade and/or disable their functionality. For example, communication networks may be targeted with denial of service attacks, viruses, worms, and/or other types of destructive mechanisms. In some networks, communication between certain nodes and/or subnets may be of increased importance. Unfortunately, attacks may involve the transmission of communication traffic through a network that is interspersed with large amounts of valid traffic. When anomalous traffic associated with an attack is detected, blocking all traffic to protect the network from the attack may, unfortunately, block significant amounts of valid traffic. Moreover, communication between certain nodes and/or subnets may be of such importance that blocking traffic between such entities should only be done as a last resort.
More specifically, a network operator may be faced with the following guidelines for managing a network. First, within a subnet, network administrators should be able to communicate with firewalls. Second, within a subnet, certain clients should be able to communicate with certain other clients and/or certain nodes or servers. Worms may be able to enter a subnet through Internet or Extranet firewalls using a legitimate destination port by design and/or by an Internet Protocol destination address by chance or design.
One or more factors may be used to identify anomalous traffic that may be indicative of an attack or propagation of a virus or worm. One factor may be that the arriving packet destination address values are randomly distributed values within the assigned subnet space, but are not the values appropriate to the machines within the subnet that support the application designated by the destination port. Another factor may be that the rate of packets arriving for the destination port is higher than normal. Ideally, an administrator may configure one or more firewalls to begin blocking some or all traffic with the foregoing characteristics. Unfortunately, human intervention is not always reliable, sufficiently fast, and/or even possible. Delayed intervention may result in the collapse of essential services within the subnet.